- Add badges, competitive comparison, and 30-sec demo to README - Add Production Status section showing OQS backend is production-ready - Mark PQC KEM/signing operations complete in roadmap - Fix GitHub URL - Create CHANGELOG.md documenting all recent changes Positions SecretumVault as first Rust vault with production PQC.
8 KiB
Changelog
All notable changes to SecretumVault will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[Unreleased]
Added
Post-Quantum Cryptography (Production-Ready)
- OQS Backend Implementation - Complete production-ready PQC via Open Quantum Safe
- ML-KEM-768 (NIST FIPS 203) key encapsulation mechanism fully implemented
- ML-DSA-65 (NIST FIPS 204) digital signatures fully implemented
- Native OQS type caching for performance optimization
- NIST compliance verified (1088-byte ciphertext, 32-byte shared secret)
- Feature flag:
oqsandpqcfor post-quantum support - Hybrid mode (classical + PQC) in development
CLI Implementation
- Command-line interface for vault operations
serversubcommand - Start vault server with configinitsubcommand - Initialize vault with Shamir sharesunsealsubcommand - Unseal vault with key sharesstatussubcommand - Check vault status- Config file support via
--configflag - Feature flag:
clifor command-line tools
Examples and Demos
- Added
examples/directory with runnable demosdemo.sh- Bash demo script for quick startdemo-simple.nu- Nushell simple demodemo-server.nu- Nushell server interaction demoREADME.mdwith usage instructions
Configuration
- Enhanced configuration system in
src/config/crypto.rs- Cryptographic backend configuration- Modular config structure (vault, server, storage, seal, engines)
- Config validation and error handling
- Support for
svault.tomlconfiguration file inconfig/directory - Production config example in
config/svault.toml.example
Documentation
-
Production Status Documentation - Clear PQC production-ready status
- Updated
README.mdwith production-ready PQC badges - "Why SecretumVault?" section with competitive comparison
- "30-Second Demo" for quick start
- "Production Status" with backend comparison table
- "Quick Navigation" for different user personas (Security Teams, Platform Engineers, Compliance Officers)
- Updated GitHub URL to correct repository (jesuspc/secretumvault)
- Updated
-
Architecture Decision Records (ADRs)
docs/architecture/adr/001-post-quantum-cryptography-oqs-implementation.md- ADR index in
docs/architecture/adr/README.md
-
User Guides
- Expanded
docs/user-guide/howto.mdwith detailed how-to guides - CLI usage documentation
- Unseal procedures and best practices
- Expanded
-
Development Guides
- Updated
docs/development/pqc-support.mdwith OQS implementation details - Updated
docs/development/build-features.mdwith feature flag documentation
- Updated
-
Architecture Documentation
- Enhanced
docs/architecture/README.mdwith PQC architecture - Updated
docs/README.mdwith navigation improvements
- Enhanced
Secrets Engines
-
Transit Engine Enhancements
- Expanded encryption/decryption operations
- Key rotation support
- Multiple algorithm support
- PQC integration with OQS backend
-
PKI Engine Enhancements
- Certificate generation improvements
- X.509 certificate handling
- Root CA and intermediate CA support
API Improvements
-
Enhanced API handlers in
src/api/handlers.rs- Better error handling and responses
- Request validation improvements
- Support for new PQC operations
-
Server improvements in
src/api/server.rs- Better routing and middleware integration
- Health check endpoints
- Metrics integration
Core Cryptography
-
CryptoBackend Trait Extensions in
src/crypto/backend.rs- Added PQC operations to trait
- Backend registry improvements
- Type-safe backend selection
-
AWS-LC Backend Updates in
src/crypto/aws_lc.rs- Experimental PQC support
- Code cleanup and improvements
-
RustCrypto Backend Refactoring in
src/crypto/rustcrypto_backend.rs- Simplified implementation
- Better error handling
- Testing support
Build and Dependencies
-
Updated
Cargo.tomlwith new dependenciesoqs = "0.10"for production PQC- CLI dependencies (clap, etc.)
- Enhanced feature flags
-
Updated
Cargo.lockwith dependency resolution
Changed
-
README.md - Major improvements
- Added professional badges (Rust version, License, Classical Crypto, PQC status, CI)
- Restructured with "Why SecretumVault?" positioning
- Added competitive comparison tables (vs HashiCorp Vault, vs AWS Secrets Manager)
- Added 30-second demo for quick evaluation
- Production Status section with clear backend comparison
- Quick Navigation for different user personas
- Updated feature descriptions with production status
- Corrected GitHub repository URL
- Updated roadmap with completed PQC tasks marked ✅
- Enhanced feature flags documentation
-
Configuration - Better organization
- Moved config files to
config/directory - Improved config structure and validation
- Better error messages
- Moved config files to
-
Main Entry Point - CLI integration
src/main.rsnow supports subcommands- Better argument parsing
- Config file loading
- Improved error handling
-
Build System - Feature organization
.cargo/config.tomlcleanup- Better feature flag organization
-
Documentation - Comprehensive updates
- All docs reflect production-ready PQC status
- Improved navigation and structure
- Added missing sections
Fixed
- Clippy warnings and linting issues
- Markdown formatting issues in documentation
- Pre-commit hooks configuration
- CI/CD configuration improvements
Security
- Production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65)
- Cryptographic agility through pluggable backends
- NIST PQC standard compliance
- Secure configuration defaults
[0.1.0] - 2024-12-21
Added
- Initial project structure and repository setup
- Core vault architecture with pluggable backends
- Secrets engines: KV, Transit, PKI, Database
- Storage backends: etcd, SurrealDB, PostgreSQL, Filesystem
- Cryptographic backends: OpenSSL, AWS-LC (experimental), RustCrypto (testing)
- Cedar policy-based authorization (ABAC)
- Shamir Secret Sharing for unsealing
- Token-based authentication
- TLS/mTLS support
- Prometheus metrics integration
- Structured logging
- Docker and Docker Compose deployment
- Kubernetes manifests and Helm charts
- Comprehensive documentation structure
- Pre-commit hooks and CI/CD setup
- Branding and logos
Security
- Encryption at rest for all secrets
- Least privilege via Cedar policies
- Audit logging for compliance
- Secure defaults (non-root, read-only filesystem)
Release Notes
Unreleased - Post-Quantum Cryptography Production Release
This release marks SecretumVault as the first Rust secrets vault with production-ready post-quantum cryptography. Key highlights:
🔐 Production-Ready PQC:
- ML-KEM-768 and ML-DSA-65 fully implemented via OQS backend
- NIST FIPS 203/204 compliance verified
- One-line config change to enable PQC:
crypto_backend = "oqs" - No code changes needed - cryptographic agility through pluggable backends
🚀 Enhanced Developer Experience:
- CLI for easy vault operations (init, unseal, status, server)
- Runnable examples in
examples/directory - Comprehensive how-to guides and documentation
- 30-second demo for quick evaluation
📚 Improved Documentation:
- Clear production status with backend comparison
- Competitive positioning vs HashiCorp Vault and AWS Secrets Manager
- Quick navigation for different user personas
- Architecture Decision Records (ADRs) for design decisions
🔧 Better Configuration:
- Modular config structure
- Validation and error handling
- Production config examples
This release positions SecretumVault as the premier choice for organizations deploying post-quantum cryptography today, with production-ready NIST PQC standards, multi-cloud portability, and Rust's memory safety guarantees.
Unique Differentiator: Only Rust secrets vault with production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65) available today.